<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"><base href="x-msg://951/"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">To be consistent with JWK it should be the concatenation of the base64url encoded values.<div><br></div><div>It is probably worth mapping it to the JWK values like mod = n, exp = e we use them for EC.</div><div><br><div><div>On 2013-01-23, at 5:07 AM, Mike Jones &lt;<a href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div lang="EN-US" link="blue" vlink="purple" style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div class="WordSection1" style="page: WordSection1; "><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><a href="http://openid.net/specs/openid-connect-standard-1_0.html#self_issued.validation" style="color: purple; text-decoration: underline; ">Standard 5.5</a>, list item 5 says:<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 11pt; font-family: Calibri, sans-serif; "><span lang="EN" style="font-family: Verdana, sans-serif; ">The Client MUST validate that the<span class="Apple-converted-space"> </span></span><tt style="font-family: 'Courier New'; color: rgb(0, 51, 102); "><span lang="EN" style="font-size: 12pt; ">sub</span></tt><span lang="EN" style="font-family: Verdana, sans-serif; "><span class="Apple-converted-space"> </span>(subject) value is the base64url encoded SHA-256 hash of the concatenation of the key values in the<span class="Apple-converted-space"> </span></span><tt 
style="font-family: 'Courier New'; color: rgb(0, 51, 102); "><span lang="EN" style="font-size: 12pt; ">user_jwk</span></tt><span lang="EN" style="font-family: Verdana, sans-serif; "><span class="Apple-converted-space"> </span>claim. When the<span class="Apple-converted-space"> </span></span><tt style="font-family: 'Courier New'; color: rgb(0, 51, 102); "><span lang="EN" style="font-size: 12pt; ">alg</span></tt><span lang="EN" style="font-family: Verdana, sans-serif; "><span class="Apple-converted-space"> </span>value is<span class="Apple-converted-space"> </span></span><tt style="font-family: 'Courier New'; color: rgb(0, 51, 102); "><span lang="EN" style="font-size: 12pt; ">RS256</span></tt><span lang="EN" style="font-family: Verdana, sans-serif; ">, the key values<span class="Apple-converted-space"> </span></span><tt style="font-family: 'Courier New'; color: rgb(0, 51, 102); "><span lang="EN" style="font-size: 12pt; ">mod</span></tt><span lang="EN" style="font-family: Verdana, sans-serif; "><span class="Apple-converted-space"> </span>and<span class="Apple-converted-space"> </span></span><tt style="font-family: 'Courier New'; color: rgb(0, 51, 102); "><span lang="EN" style="font-size: 12pt; ">exp</span></tt><span lang="EN" style="font-family: Verdana, sans-serif; "><span class="Apple-converted-space"> </span>are concatenated in that order. 
When the<span class="Apple-converted-space"> </span></span><tt style="font-family: 'Courier New'; color: rgb(0, 51, 102); "><span lang="EN" style="font-size: 12pt; ">alg</span></tt><span lang="EN" style="font-family: Verdana, sans-serif; "><span class="Apple-converted-space"> </span>value is<span class="Apple-converted-space"> </span></span><tt style="font-family: 'Courier New'; color: rgb(0, 51, 102); "><span lang="EN" style="font-size: 12pt; ">ES256</span></tt><span lang="EN" style="font-family: Verdana, sans-serif; ">, the key values<span class="Apple-converted-space"> </span></span><tt style="font-family: 'Courier New'; color: rgb(0, 51, 102); "><span lang="EN" style="font-size: 12pt; ">crv</span></tt><span lang="EN" style="font-family: Verdana, sans-serif; ">,<span class="Apple-converted-space"> </span></span><tt style="font-family: 'Courier New'; color: rgb(0, 51, 102); "><span lang="EN" style="font-size: 12pt; ">x</span></tt><span lang="EN" style="font-family: Verdana, sans-serif; "><span class="Apple-converted-space"> </span>and<span class="Apple-converted-space"> </span></span><tt style="font-family: 'Courier New'; color: rgb(0, 51, 102); "><span lang="EN" style="font-size: 12pt; ">y</span></tt><span lang="EN" style="font-family: Verdana, sans-serif; "><span class="Apple-converted-space"> </span>are concatenated in that order.</span><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">This language leaves it ambiguous whether the concatenated key values in Standard 5.5 are supposed to be the base64url encoded values or the raw key bytes. Following the precedents in the JOSE specs, I assume that we would concatenate the base64url encoded values. 
Unless I hear objections, I’ll clarify the specs to say that.<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">                                                            Thanks,<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">                                                            -- Mike<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div></div>_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" style="color: purple; text-decoration: underline; ">Openid-specs-ab@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" style="color: purple; text-decoration: underline; ">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></div></blockquote></div><br></div></body></html>
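Added example (not part of the original messages or of the OpenID Connect specification): a Python sketch of the Standard 5.5 sub check under the reading proposed in this thread, hashing the concatenated base64url member values, shown next to the raw-bytes reading so the difference between the two is visible. The sample keys are constructed, and keeping crv as its ASCII name in the raw-bytes reading is an assumption.

```python
import base64
import hashlib
import hmac

# Members hashed per alg, in the order given by the quoted Standard 5.5 text.
KEY_MEMBERS = {"RS256": ("mod", "exp"), "ES256": ("crv", "x", "y")}


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE uses it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sub_from_encoded(alg: str, jwk: dict) -> str:
    """Reading proposed in the thread: hash the base64url strings as sent."""
    joined = "".join(jwk[m] for m in KEY_MEMBERS[alg])
    return b64url(hashlib.sha256(joined.encode("utf-8")).digest())


def sub_from_raw(alg: str, jwk: dict) -> str:
    """Other reading: hash decoded key bytes (crv kept as its ASCII name, an assumption)."""
    parts = [jwk[m].encode("ascii") if m == "crv" else b64url_decode(jwk[m])
             for m in KEY_MEMBERS[alg]]
    return b64url(hashlib.sha256(b"".join(parts)).digest())


def validate_sub(alg: str, jwk: dict, sub: str) -> bool:
    """Client-side check of sub against user_jwk, base64url-concatenation reading."""
    members = KEY_MEMBERS.get(alg)
    if members is None or not isinstance(sub, str):
        return False
    if any(not isinstance(jwk.get(m), str) for m in members):
        return False  # missing or non-string key member
    expected = sub_from_encoded(alg, jwk)
    return hmac.compare_digest(expected.encode("utf-8"), sub.encode("utf-8"))


# Constructed sample keys (placeholder bytes, not real key material).
SAMPLE_RSA = {"mod": b64url(bytes(range(256))[::-1]), "exp": b64url(b"\x01\x00\x01")}
SAMPLE_EC = {"crv": "P-256", "x": b64url(b"\x11" * 32), "y": b64url(b"\x22" * 32)}
```

A token issuer and a client that pick different readings compute different sub values for the same key, so every self-issued token fails validation until both sides agree.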